The report said Goatse Security was able to obtain the e-mail addresses and AT&T-associated IDs of multiple iPad users via a script on AT&T’s website. The data includes information from high-profile early adopters like White House Chief of Staff Rahm Emanuel and New York City Mayor Michael Bloomberg. The vulnerability has been reported to AT&T and has been fixed, but there’s a chance every iPad 3G owner who has used AT&T’s mobile data has been exposed, and AT&T has not publicly commented as of press time. How was the breach pulled off? Well, according to Gawker:
Goatse Security obtained its data through a script on AT&T’s website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application.
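The quoted account describes an unauthenticated lookup that maps a guessable identifier (the ICC-ID) to a customer e-mail address, which makes enumeration of adjacent IDs the obvious abuse. As an added example, not code from the article, AT&T or Goatse Security, here is detection logic a defender could run over web-server access logs to spot a single client walking through consecutive ICC-IDs; the `/lookup` path, the `iccid` parameter and the log lines are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real AT&T logs). The endpoint path
# and the "iccid" query parameter are assumptions for this illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2010:10:00:01 +0000] "GET /lookup?iccid=89014104212345678901 HTTP/1.1" 200 64
203.0.113.5 - - [09/Jun/2010:10:00:02 +0000] "GET /lookup?iccid=89014104212345678902 HTTP/1.1" 200 61
203.0.113.5 - - [09/Jun/2010:10:00:02 +0000] "GET /lookup?iccid=89014104212345678903 HTTP/1.1" 404 12
203.0.113.5 - - [09/Jun/2010:10:00:03 +0000] "GET /lookup?iccid=89014104212345678904 HTTP/1.1" 200 59
203.0.113.5 - - [09/Jun/2010:10:00:03 +0000] "GET /lookup?iccid=89014104212345678905 HTTP/1.1" 200 63
198.51.100.7 - - [09/Jun/2010:10:05:10 +0000] "GET /lookup?iccid=89014104219876543210 HTTP/1.1" 200 58
"""

# Combined-log style line: client IP, timestamp, then the lookup request and status.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /lookup\?iccid=(\d{19,20}) HTTP/[\d.]+" (\d{3})'
)


def parse_lookups(log_text):
    """Return (client_ip, iccid, status) for every lookup request in the log."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3))))
    return rows


def find_enumerators(rows, min_distinct=4, min_sequential=2):
    """Flag clients that query many distinct ICC-IDs or consecutive ones.

    A legitimate device looks up its own ICC-ID; a client stepping through
    adjacent identifiers is the enumeration pattern the quoted account
    describes. Failed lookups (404) still count, since probing misses too.
    """
    by_ip = defaultdict(list)
    for ip, iccid, _status in rows:
        by_ip[ip].append(int(iccid))
    flagged = {}
    for ip, ids in by_ip.items():
        ordered = sorted(set(ids))
        sequential = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if len(ordered) >= min_distinct or sequential >= min_sequential:
            flagged[ip] = {"distinct": len(ordered), "sequential_pairs": sequential}
    return flagged
```

Running `find_enumerators(parse_lookups(SAMPLE_LOG))` flags only 203.0.113.5, which touched five consecutive ICC-IDs; the single self-lookup from 198.51.100.7 is left alone.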
It’s obviously disturbing that AT&T would expose its customers’ e-mail addresses like that, but it’s too early to tell how big an impact this could have on the relationship between Apple and the nation’s second-largest carrier. We know the iPhone had a five-year exclusivity window when it was first released, but that could have been renegotiated multiple times over the years. In fact, some analysts believe the relatively low-cost, no-contract data rates on the iPad 3G extended that exclusive deal.
Of course, who wants to use mobile data you can’t trust?
AT&T has reached out to us regarding this story and wanted to add some clarifications. According to an AT&T spokesperson:
AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device … We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.